Securing your router with fwknop ('iptables -m comment' error)

I would really like to get fwknop working as it seems to offer superior security over other methods of opening external ports. Basically you have fwknopd running on Tomato and use a fwknop client which sends a packet to Tomato with the port forwarding instructions. The ports will open for 30 seconds by default to allow new connections from your client's IP address (or any that you specify). The client is available for Unix, Windows, Android, etc. The beautiful part is fwknopd can listen for the port knock while the port is closed (e.g. DROPped traffic) and the packet is encrypted with a shared key. So defeating this is very difficult.

This will allow new incoming connections for 30 seconds from the IP of your client (with "-R") to connect to Tomato's port 2222, which will forward to port 22 of the internal computer 129.168.1.6.

But when I do this I get an error that iptables doesn't support '-m comment --comment blah'. Thinking the comments might not be required, I removed them from the source code, but it doesn't work correctly because the iptables comments are used to find the iptables rules to close the ports.

Does anyone know how to get 'iptables' to support '-m comment'? Or is there some other way to get this working? Please share.
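As an added illustration (not part of this thread and not fwknop's own code) of why the comment match matters: fwknopd tags every rule it inserts with a comment carrying the Unix time at which that rule expires (the `_exp_<timestamp>` form and the `FWKNOP_INPUT` chain name are assumed here), and its cleanup pass reads those comments back to recognise its own rules and delete the expired ones. The script below models that sweep over a constructed `iptables -S FWKNOP_INPUT` listing and only prints the delete commands instead of running them, so it runs on any box without touching the firewall. The sample rules and addresses are made up for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FWKNOP_INPUT` output: three ACCEPT rules that
# fwknopd would have added for SPA clients, each tagged with its expiry Unix time.
SAMPLE_RULES='-N FWKNOP_INPUT
-A FWKNOP_INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 2222 -m comment --comment _exp_1700000030 -j ACCEPT
-A FWKNOP_INPUT -s 203.0.113.11/32 -p tcp -m tcp --dport 2222 -m comment --comment _exp_1700000500 -j ACCEPT
-A FWKNOP_INPUT -s 203.0.113.12/32 -p tcp -m tcp --dport 8021 -m comment --comment _exp_1700000090 -j ACCEPT'

# expired_rules NOW
# Print the rule specs (without the leading "-A") whose _exp_ stamp is <= NOW.
# Lines without the _exp_ comment are skipped: that is exactly the information
# a build without `-m comment` support cannot carry, so such rules could never
# be matched for removal.
expired_rules() {
    now="$1"
    printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r line; do
        case "$line" in
            *"--comment _exp_"*) ;;
            *) continue ;;
        esac
        stamp=${line##*--comment _exp_}   # text after the _exp_ tag
        stamp=${stamp%% *}                # first word of it: the timestamp
        if [ "$stamp" -le "$now" ]; then
            printf '%s\n' "${line#-A }"
        fi
    done
}

# count_expired NOW: how many rules the sweep would remove at time NOW
count_expired() {
    expired_rules "$1" | wc -l | tr -d ' '
}

# delete_commands NOW: the `iptables -D` commands the sweep would run at time NOW
# (dry run only; the real fwknopd executes these itself)
delete_commands() {
    expired_rules "$1" | while IFS= read -r spec; do
        printf 'iptables -D %s\n' "$spec"
    done
}

# Example run: pretend the clock reads 1700000100 and show what would be closed.
delete_commands 1700000100
```

Run it as `sh sweep.sh` (any file name); with the constructed clock value above it prints the two delete commands for the rules whose stamps are at or below 1700000100 and leaves the third, still-valid rule alone. The same parse is what breaks when the comment extension is missing: iptables refuses the `-m comment` option at insert time, so there is no timestamp to read back later.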

Put libipt_comment.so in a directory on its own somewhere (assuming you don't already have custom iptables libraries), then softlink /etc/iptext to that directory (so iptables knows where to look for yours). Put xt_comment.ko wherever you like and insmod it. To test:

With all the dire warnings about screwing myself I wasn't sure I should do it but your "Good luck" encouraged me on.

I'm glad to say it works perfectly! This is the best way to open ports on your router (until there is a better way)!

Just a few notes on how to set things up better. The "fwknopd.conf" file in my first post is only good for opening ports on the router. If you want to do a NAT to another computer or a local NAT to remap ports on your router you set it up like this in fwknopd.conf:

Here are some examples I tried (note for my testing I used "PCAP_INTF br0" in fwknopd.conf since I'm testing it on my internal network):

Code:

# Make tcp port 8021 on Tomato NAT to 80 (close after 500 seconds)
# Note: I increased the time the port stays open since each new page on Tomato asks
# for a new tcp connection. Since it is only open to the IP address I specified, it is not a big deal
fwknop -a 192.168.1.6 -D 192.168.1.1 -v -A tcp/8021 --nat-local --nat-port 80 --fw-timeout 500
firefox http://192.168.1.1:8021
# Open tcp port 8021 on Tomato (192.168.1.1) and forward it to port 22 on 192.168.1.6
# Note: Once logged in via ssh the connection will stay alive after the ports close
fwknop -a 192.168.1.6 -D 192.168.1.1 -v -A tcp/8021 --nat-access 192.168.1.6,22
ssh -p 8021 $USER@192.168.1.1

So opening the ports to the WAN adds a few more issues, because my work allows only a few open outgoing ports. So I can't send a packet to port 62201 because it is blocked. So instead I use tcp/80 since that is almost always open wherever you go. So in your "fwknopd.conf" use:

Rodney, for other people that want to enjoy this, what hardware do you expect your iptables comment libraries to work on? It would be great if other people could join in on the encrypted port knocking fun!

In theory, the iptables library should work against any TomatoUSB, and the kernel module *may* work on any K26 build (it depends entirely on how patched it is...or not). There's no real way to tell short of trying.